1. Technical Field
The present invention relates generally to technology for defending against cyberattacks and, more particularly, to an attack tracking system and method in which information about intrusions using malware is automatically collected and analyzed, whereby malware routes and behavior are tracked.
2. Description of the Related Art
As cyberattacks become more sophisticated, it becomes more difficult to analyze and respond to intrusion incidents. As a result, organizations cannot respond appropriately to intrusion incidents, which may lead to increased damage or incomplete recovery, which may in turn result in repeated damage.
Measures for responding to intrusion incidents may be summarized as six steps: advance preparation, detection of incidents, collection of evidence (information), investigation and analysis, reporting and responding, and preservation of evidence. Of these, collection of evidence and investigation and analysis are the major steps, in which when, by whom, and how an incident occurred is determined and how to prevent the spread of damage and the recurrence of the incident is decided. Generally, these two steps are performed using digital forensic technology for responding to intrusion incidents.
In regard to the collection of evidence (information), current digital forensic technology collects system artifacts to be used for analysis, such as file systems, registry entries, web browser logs and the like, mostly from Windows operating systems, and the artifacts are then analyzed by security specialists. However, because the necessary data are collected and analyzed only after an incident has taken place, the evidence required for analysis may already have been intentionally deleted by attackers, or important data may have been lost due to the limited capacity of log storage or the like.
Also, in regard to the collection of evidence (information) and investigation and analysis, current digital forensic technology collects only a limited set of artifacts, or merely presents all of the collected artifacts organized into columns so that they can be viewed more easily. In other words, the raw data are presented in a form that users can read, but the interpretation of that data and the correlation between items are not provided. Therefore, determining the "when, who, where, what, how, and why" of an intrusion incident depends largely on the experience and knowledge of security specialists. That is, analysis results may differ depending on the ability of the specialist, and it is difficult to respond to intrusion incidents systematically.
These days, most cyberattacks are performed through malware, according to either a long-term plan or a short-term plan.
Therefore, what is required is the development of basic infrastructure technology that is systematic and easy to use and is capable of minimizing reliance on security specialists, effectively responding to cyberattacks such as the influx, execution, and propagation of malware, and tracking malware routes and behavior.
Here, malware routes and behavior may be tracked by analyzing information about behavior associated with main system objects (for example, files, processes, registry entries, networks, external storage media and the like), information about parent objects of the objects associated with the behavior, and the relationship between an object and an object event. Here, the behavior associated with the main system objects may include, for example, the creation, deletion, reading and copying of a file, the execution, termination and reading of a process, the reading, writing, and deletion of registry entries, a request for network access and permission therefor, a request for connecting to external storage media and permission therefor, and the like.
Additionally, specific behavior may be tracked by collecting information about certain behaviors of malware. For example, information about behavior such as access by malware to an area in which it can hide and the storage of the malware in such an area for concealment and persistence, the change of a configuration so that the malware is run automatically, and access by malware to the Master Boot Record (MBR) area or the Volume Boot Record (VBR) area in order to cause a system crash, may be collected and used for analysis.
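As an added illustration (this is example code written for this page, not code from the specification or from any product it describes), the following Python block models object events of the kind described in the two paragraphs above. It builds a provenance graph from constructed sample events, walks the graph backward to recover the route by which a process came to exist (parent process, image file, the process that created that file, and so on), walks it forward to list everything a process and its children touched, and flags the specific behaviors named above: storage in a hiding area, configuration for automatic execution, and raw access to the MBR or VBR sector. The object id scheme ("kind:name"), the event names, the sample paths and addresses, and the registry key and directory lists are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ObjectEvent:
    """One collected object event. Object ids use an assumed 'kind:name' form."""
    seq: int                      # collection order, stands in for a timestamp
    actor: str                    # object performing the action, e.g. "proc:svc"
    action: str                   # create | write | execute | connect | raw_access
    target: str                   # object acted on: file:, reg:, proc:, net:, dev:
    result: Optional[str] = None  # for execute: the process object that was started


# Constructed sample events (not real logs) describing one infection chain:
# a browser downloads and runs a dropper, the dropper installs a copy under
# AppData and registers it for autorun, and the copy touches the MBR and beacons.
SAMPLE_EVENTS = [
    ObjectEvent(1, "proc:explorer", "execute", r"file:C:\Program Files\Browser\browser.exe", "proc:browser"),
    ObjectEvent(2, "proc:browser", "connect", "net:203.0.113.5:443"),
    ObjectEvent(3, "proc:browser", "create", r"file:C:\Users\u\Downloads\invoice.exe"),
    ObjectEvent(4, "proc:browser", "execute", r"file:C:\Users\u\Downloads\invoice.exe", "proc:invoice"),
    ObjectEvent(5, "proc:invoice", "create", r"file:C:\Users\u\AppData\Roaming\svc.exe"),
    ObjectEvent(6, "proc:invoice", "write", r"reg:HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    ObjectEvent(7, "proc:invoice", "execute", r"file:C:\Users\u\AppData\Roaming\svc.exe", "proc:svc"),
    ObjectEvent(8, "proc:svc", "raw_access", r"dev:\\.\PhysicalDrive0@0"),   # offset 0 = MBR sector
    ObjectEvent(9, "proc:svc", "connect", "net:198.51.100.7:8443"),
]


def build_graph(events):
    """origin: object -> the event that brought it into being (file create or
    process start). by_actor: object -> the events it performed, in order."""
    origin, by_actor = {}, defaultdict(list)
    for ev in sorted(events, key=lambda e: e.seq):
        by_actor[ev.actor].append(ev)
        if ev.action == "create" and ev.target not in origin:
            origin[ev.target] = ev
        elif ev.action == "execute" and ev.result and ev.result not in origin:
            origin[ev.result] = ev
    return origin, by_actor


def trace_route(obj, origin):
    """Walk parent objects back to the root and return the route root-first.
    A started process is preceded by its image file when that file's creation
    was observed (this shows how the malware arrived); otherwise by the parent
    process that started it (still available as origin[obj].actor)."""
    route, seen = [obj], {obj}
    while obj in origin:
        ev = origin[obj]
        nxt = ev.target if (ev.action == "execute" and ev.target in origin) else ev.actor
        if nxt in seen:            # guard against malformed, cyclic event data
            break
        seen.add(nxt)
        route.append(nxt)
        obj = nxt
    return route[::-1]


def propagation(obj, by_actor):
    """Every object reached from obj by following its events and those of any
    process it started: the forward (spread) direction of the same graph."""
    touched, stack, seen = set(), [obj], {obj}
    while stack:
        cur = stack.pop()
        for ev in by_actor.get(cur, []):
            touched.add(ev.target)
            if ev.result:
                touched.add(ev.result)
                if ev.result not in seen:
                    seen.add(ev.result)
                    stack.append(ev.result)
    return touched


# Illustrative lists (assumptions). "\currentversion\run" also matches RunOnce.
AUTORUN_KEYS = (r"\currentversion\run",)
HIDING_DIRS = (r"\appdata\roaming", r"\appdata\local\temp", r"\programdata")


def flag_behaviors(events):
    """Return (seq, actor, label) for events matching the behaviors named in
    the text: dropping into a hiding area, autorun configuration, MBR/VBR access."""
    flags = []
    for ev in sorted(events, key=lambda e: e.seq):
        t = ev.target.lower()
        if ev.action == "create" and t.startswith("file:") and any(d in t for d in HIDING_DIRS):
            flags.append((ev.seq, ev.actor, "stored_in_hiding_area"))
        elif ev.action == "write" and t.startswith("reg:") and any(k in t for k in AUTORUN_KEYS):
            flags.append((ev.seq, ev.actor, "autorun_configured"))
        elif ev.action == "raw_access" and t.startswith("dev:"):
            dev, _, off = t[4:].rpartition("@")
            # the first 512-byte sector of a physical drive holds the MBR,
            # the first sector of a volume holds the VBR
            if off.isdigit() and int(off) < 512:
                flags.append((ev.seq, ev.actor, "mbr_access" if "physicaldrive" in dev else "vbr_access"))
    return flags


if __name__ == "__main__":
    origin, by_actor = build_graph(SAMPLE_EVENTS)
    for seq, actor, label in flag_behaviors(SAMPLE_EVENTS):
        print(f"[{seq}] {label} by {actor}")
        print("      route: " + " -> ".join(trace_route(actor, origin)))
    print("objects reached from proc:invoice:", sorted(propagation("proc:invoice", by_actor)))
```

Run as a script, the block prints each flagged behavior together with the route that led to the acting process, and then the set of objects the dropper and its child touched. The same three functions are what an automated analysis layer would call over continuously collected events, which is the point the text makes about tracking both the route (backward) and the propagation (forward) from a single object-event record.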
Meanwhile, techniques for collecting information to be used for analysis include collecting system artifacts for forensic analysis, collecting information about system objects by hooking system events, and collecting information about system objects using kernel drivers.
Here, because forensic technology depends on the analyst's judgment, it is difficult to automate. Hooking techniques may be less secure and less stable when used across diverse execution environments, and it is highly probable that they will conflict with other security agents installed in the operating system. Techniques using kernel drivers have the disadvantage that, by their nature, a great deal of time is required for stabilization.
In other words, because the existing techniques for collecting information to be used for analysis are limited in their ability to collect information stably and continuously or to support automated analysis, new techniques are required by which the information used for automated tracking analysis is collected in real time. Also, an architecture in which automated analysis may be performed using the object information collected by such techniques is required.